mysql_real_escape_string not good enough?


Problem description

So, even when using mysql_real_escape_string,

%27) SQL INJECTION HERE %2F*

what should be done?

Using the example:

$sql = sprintf("SELECT *, MATCH(post) AGAINST ('%s*' IN BOOLEAN MODE) AS score FROM Posts WHERE MATCH(post) AGAINST('%s*' IN BOOLEAN MODE)",
                mysql_real_escape_string($_GET['searchterm']),
                mysql_real_escape_string($_GET['searchterm']));

$results = $db->queryAsArray($sql);

If you pass in %27) SQL INJECTION HERE %2F* to the searchterm querystring, I get outputted on the page:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'BOOLEAN MODE)' at line 1

Thanks everyone for finding the problem in the db class..

Recommended answer

Reasoning from the method name queryAsArray, it seems that you’re using this DbBase class from the comments of the MySQL functions manual page. If so, it’s the query method that removes the escape character from the escaped quotation marks:

function query($sql, &$records = null){
    $sql = str_replace(array('\\"', "\\'"), array('"', "'"), $sql);
    // …
}

Then it’s not a miracle that your example works (I simplified it):

$input = "', BAD SQL INJECTION --";

$sql = "SELECT '".mysql_real_escape_string($input)."'";
var_dump($sql);  // string(33) "SELECT '\', BAD SQL INJECTION --'"
//                      everything’s OK ↑

$sql = str_replace(array('\\"', "\\'"), array('"', "'"), $sql);
var_dump($sql);  // string(32) "SELECT '', BAD SQL INJECTION --'"
//                                Oops! ↑
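The same round trip as a stand-alone script, added here as an illustration and not part of the question or of the DbBase class: addslashes() is assumed as an offline stand-in for mysql_real_escape_string() (both turn ' into \' for this ASCII input), mangle() is the str_replace() line from DbBase::query(), and unescapedQuotes() is a hypothetical check that counts quotes not preceded by a backslash, so a string literal that has been broken open shows up as an odd count.

```php
<?php
// Added example (not the question's or DbBase's own code).
// addslashes() is an assumed stand-in for mysql_real_escape_string(),
// which needs a live connection and is gone from PHP 7+.

function mangle(string $sql): string {
    // The DbBase::query() line that undoes the escaping.
    return str_replace(array('\\"', "\\'"), array('"', "'"), $sql);
}

function build(string $input): string {
    // What the question's code does: escape, then splice into a literal.
    return "SELECT '" . addslashes($input) . "'";
}

function unescapedQuotes(string $sql): int {
    // Hypothetical check: count single quotes not preceded by a backslash.
    // An even count means every literal is still closed where it started.
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

$input = "', BAD SQL INJECTION --";

$escaped = build($input);
// The escaped quote is still part of the literal: the count is even.
var_dump($escaped);
var_dump(unescapedQuotes($escaped) % 2 === 0);

$mangled = mangle($escaped);
// After DbBase strips the backslash a quote escapes the literal: odd count.
var_dump($mangled);
var_dump(unescapedQuotes($mangled) % 2 === 0);
```

Removing that str_replace() line from the wrapper (or binding values with prepared statements instead of splicing them into the SQL text) is what makes the escaping hold.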
